Google Git
Sign in
linux/linux/kernel/git/klassert/ipsec/refs/heads/master
commit
d849a2f7309fc0616e79d13b008b0a47e0458b6e
[log] [tgz]
author
Paul Moses <p@1g4.org>
Mon Mar 16 14:56:51 2026 +0000
committer
Steffen Klassert <steffen.klassert@secunet.com>
Tue Mar 17 11:43:14 2026 +0100
tree
f11cb03bf80c6a11b7cb6f0a1c9d46ede74bf5d1
parent
eb2d16a7d599dc9d4df391b5e660df9949963786 [diff]
xfrm: iptfs: only publish mode_data after clone setup

iptfs_clone_state() stores x->mode_data before allocating the reorder
window. If that allocation fails, the code frees the cloned state and
returns -ENOMEM, leaving x->mode_data pointing at freed memory.

The xfrm clone unwind later runs destroy_state() through x->mode_data,
so the failed clone path tears down IPTFS state that clone_state()
already freed.

Keep the cloned IPTFS state private until all allocations succeed so
failed clones leave x->mode_data unset. The destroy path already
handles a NULL mode_data pointer.

Fixes: 6be02e3e4f37 ("xfrm: iptfs: handle reordering of received packets")
Cc: stable@vger.kernel.org
Signed-off-by: Paul Moses <p@1g4.org>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
1 file changed
tree: f11cb03bf80c6a11b7cb6f0a1c9d46ede74bf5d1
  1. arch/
  2. block/
  3. certs/
  4. crypto/
  5. Documentation/
  6. drivers/
  7. fs/
  8. include/
  9. init/
  10. io_uring/
  11. ipc/
  12. kernel/
  13. lib/
  14. LICENSES/
  15. mm/
  16. net/
  17. rust/
  18. samples/
  19. scripts/
  20. security/
  21. sound/
  22. tools/
  23. usr/
  24. virt/
  25. .clang-format
  26. .clippy.toml
  27. .cocciconfig
  28. .editorconfig
  29. .get_maintainer.ignore
  30. .gitattributes
  31. .gitignore
  32. .mailmap
  33. .pylintrc
  34. .rustfmt.toml
  35. COPYING
  36. CREDITS
  37. Kbuild
  38. Kconfig
  39. MAINTAINERS
  40. Makefile
  41. README